unkin/puppet-prod
2
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases Wiki Activity
26f26e6283
puppet-prod/site/profiles/manifests/consul/client.pp
Ben Vincent f536d19034 feat: generate consul policy/tokens 
- generate policy/token to add nodes
- generate policy/token for all nodes
- add base::root profile to manage aspects of the root user
2024-04-27 20:21:57 +10:00

54 lines
1.8 KiB
Puppet
Raw Blame History

# profiles::consul::client
class profiles::consul::client (
String $secret_id_salt = '',
Stdlib::Fqdn $consul_hostname = 'consul.service.consul',
Enum['http','https'] $consul_protocol = 'http',
Stdlib::Port $consul_port = 8500,
String $consul_api_token = lookup('profiles::consul::server::acl_tokens_initial_management'),
) {
# Create ACL policy that allows nodes to update themselves and read others
consul_policy { $facts['networking']['hostname']:
description => "${facts['networking']['fqdn']} puppet-generated-policy",
rules => [
{
'resource' => 'node',
'segment' => $facts['networking']['hostname'],
'disposition' => 'write'
},
{
'resource' => 'node',
'segment' => '',
'disposition' => 'read'
}
],
acl_api_token => $consul_api_token,
hostname => $consul_hostname,
protocol => $consul_protocol,
port => $consul_port,
}
consul_token { $facts['networking']['hostname']:
accessor_id => fqdn_uuid($facts['networking']['fqdn']),
description => "${facts['networking']['fqdn']} puppet-generated-token",
policies_by_name => [$facts['networking']['hostname']],
acl_api_token => $consul_api_token,
secret_id => fqdn_uuid("${facts['networking']['fqdn']}-${secret_id_salt}"),
hostname => $consul_hostname,
protocol => $consul_protocol,
port => $consul_port,
}
# ensure the consul token is saved for the root user
file {'/root/.config/consul_node_token':
ensure => file,
owner => 'root',
group => 'root',
mode => '0600',
content => Sensitive(fqdn_uuid("${facts['networking']['fqdn']}-${secret_id_salt}")),
require => File['/root/.config'],
}
}
Reference in New Issue View Git Blame Copy Permalink